<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd">

<html>

<head>

    <title>org.bhf.security.authorization</title>
    <meta http-equiv="Content-type" content="text/html; charset=iso-8859-1">

    <style type="text/css">
        body {
            background: #FFF;
        }
    </style>
</head>

<body>

<p>
This package contains classes common to both the authentication and
the authorization aspects of security.  The contract between authentication
and authorization is based upon <code>Subject</code> composition.
Successful authentication results in a <code>Subject</code>
that is populated with the following:
</p>

<ul>
    <li>
        One <code>org.bhf.security.common.UserID</code>
        as a <code>Principal</code>
    </li>
    <li>
        One <code>org.bhf.security.common.LoginID</code>
        as a public credential
    </li>
    <li>
        One <code>org.bhf.security.common.FullName</code>
        as a public credential
    </li>
    <li>
        Zero or more <code>org.bhf.security.common.Role</code>s
        as <code>Principal</code>s
    </li>
</ul>

<p>
In addition, a <code>Subject</code> may have zero or more
<code>PermissionPrincipals</code>, which are permissions assigned to the
<code>Subject</code> during the process of authentication rather
than through a security policy.
</p>
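
<p>
One way to check the composition listed above before a <code>Subject</code> is used for
authorization, as an added example that is not part of this package. The nested records are
hypothetical stand-ins for the <code>org.bhf.security.common</code> types, whose real
constructors are not shown here; records require Java 16 or later.
</p>

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.Subject;

public class SubjectContractCheck {
    // Hypothetical stand-ins for the org.bhf.security.common types (assumption:
    // the real classes' constructors and accessors are not shown on this page).
    record UserID(String name) implements Principal { public String getName() { return name; } }
    record Role(String name) implements Principal { public String getName() { return name; } }
    record LoginID(String value) {}
    record FullName(String value) {}

    // Returns one message per deviation from the documented composition;
    // an empty list means the Subject may be handed on to authorization.
    static List<String> violations(Subject s) {
        List<String> out = new ArrayList<>();
        if (s == null) { out.add("no Subject"); return out; }
        exactlyOne(out, "UserID principal", s.getPrincipals(UserID.class).size());
        exactlyOne(out, "LoginID public credential", s.getPublicCredentials(LoginID.class).size());
        exactlyOne(out, "FullName public credential", s.getPublicCredentials(FullName.class).size());
        // Identity data filed in the wrong set is invisible to lookups by type.
        for (Object c : s.getPublicCredentials())
            if (c instanceof UserID || c instanceof Role)
                out.add(c.getClass().getSimpleName() + " stored as credential, not as Principal");
        return out; // Roles: zero or more is valid, so no count check
    }

    private static void exactlyOne(List<String> out, String what, int found) {
        if (found != 1) out.add("expected exactly one " + what + ", found " + found);
    }

    public static void main(String[] args) {
        Subject ok = new Subject(); // constructed sample values throughout
        ok.getPrincipals().add(new UserID("u-1001"));
        ok.getPrincipals().add(new Role("clinician"));
        ok.getPublicCredentials().add(new LoginID("jdoe"));
        ok.getPublicCredentials().add(new FullName("Jane Doe"));
        System.out.println("conforming: " + violations(ok));

        Subject bad = new Subject();
        bad.getPrincipals().add(new UserID("u-1001"));
        bad.getPrincipals().add(new UserID("u-2002"));     // ambiguous identity
        bad.getPublicCredentials().add(new Role("admin")); // Role filed as credential
        bad.getPublicCredentials().add(new LoginID("jdoe"));
        System.out.println("rejected:   " + violations(bad));
    }
}
```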

<p>
Before authorization is performed, the <code>Subject</code> resulting
from authentication and a <code>Project</code> must be placed in context
using <code>ContextSubject</code> and <code>ContextProject</code>,
respectively, or associated with the entire application by using
the set-default methods in <code>RoleBasedSecurityManager</code>.
</p>

<p>
This package contains a small set of predefined <code>Permission</code>
implementations.  <code>DataPermission</code>,
representing clinical data, is one such implementation.
<code>PolicyPermission</code> protects changes to the project security
policy itself.  The caller must have <code>PolicyPermission</code>
in order to change the project security policy.  <code>QueryPermission</code>
can be used to restrict access to relational database table rows.
</p>

</body>
</html>